(1) A system of records is a group of records under the control of a DA activity that are retrieved by an individual's name or by some identifying number, symbol, or other identifying particular assigned to an individual.

(2) Privacy Act systems of records must be—

(i) Authorized by Federal statute or an Executive Order;

(ii) Needed to carry out DA's mission; and

(iii) Published in the Federal Register in a system of records notice, which will provide the public an opportunity to comment before DA implements or changes the system.

(3) The mere fact that records are retrievable by a name or personal identifier is not enough. Records must actually be retrieved by a name or personal identifier. Records in a group of records that may be retrieved by a name or personal identifier but are not normally retrieved by this method are not covered by this part. However, they are covered by AR 25-55, the Department of the Army Freedom of Information Act Program.

(4) The existence of a statute or Executive Order mandating the maintenance of a system of records to perform an authorized activity does not abolish the responsibility to ensure the information in the system of records is relevant and necessary to perform the authorized activity.

(b) Privacy Act system of records notices.

(1) DA must publish notices in the Federal Register on new, amended, altered, or deleted systems of records to inform the public of the Privacy Act systems of records that it maintains. The Privacy Act requires submission of new or significantly changed systems of records to OMB and both houses of Congress before publication in the Federal Register (See Appendix E of this part).

(2) Systems managers must send a proposed notice at least 120 days before implementing a new, amended or altered system to the DA Freedom of Information and Privacy Office. The proposed or altered notice must include a narrative statement and supporting documentation. A narrative statement must contain the following items:

(i) System identifier and name;

(ii) Responsible Official, title, and phone number;

(iii) If a new system, the purpose of establishing the system or if an altered system, nature of changes proposed;

(iv) Authority for maintenance of the system;

(v) Probable or potential effects of the system on the privacy of individuals;

(vi) Whether the system is being maintained, in whole or in part, by a contractor;

(vii) Steps taken to minimize risk of unauthorized access;

(viii) Routine use compatibility;

(ix) Office of Management and Budget information collection requirements; and

(x) Supporting documentation as an attachment. Also as an attachment should be the proposed new or altered system notice for publication in the Federal Register.

(3) An amended or altered system of records is one that has one or more of the following:

(i) A significant increase in the number, type, or category of individuals about whom records are maintained;

(ii) A change that expands the types of categories of information maintained;

(iii) A change that alters the purpose for which the information is used;

(iv) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records;

(v) An addition of an exemption pursuant to Section (j) or (k) of the Act; or

(7) For new systems, system managers must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. This applies to all new systems of records whether maintained manually or automated.

(i) One safeguard plan is the development and use of a Privacy Impact Assessment (PIA) mandated by the E-Gov Act of 2002, Section 208. The Office of Management and Budget specifically directs that a PIA be conducted, reviewed, and published for all new or significantly altered information in identifiable form collected from or about the members of the public. The PIA describes the appropriate administrative, technical, and physical safeguards for new automated systems. This will assist in the protection against any anticipated threats or hazards to the security or integrity of data, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Contact your local Information Officer for guidance on conducting a PIA.

(ii) The development of appropriate safeguards must be tailored to the requirements of the system as well as other factors, such as the system environment, location, and accessibility.

The following are only the Rules published in the Federal Register after the published date of Title 32.

The rule will be effective on May 7, 2015 unless comments are received that would result in a contrary determination. Comments will be accepted on or before April 27, 2015.

32 CFR Part 505

Summary

The Department of the Army is amending the Army Privacy Program Regulation. Specifically, Army is reinstating exemptions that were mistakenly deleted when the Army's Privacy Program Regulation was last revised. These rules provide policies and procedures for the Army's implementation of the Privacy Act of 1974, as amended. This direct final rule makes changes to the Department of the Army's Privacy Program rules. These changes will allow the Department to exempt records from certain portions of the Privacy Act. This will improve the efficiency and effectiveness of DoD's program by preserving the exempt status of the records when the purposes underlying the exemption are valid and necessary to protect the contents of the records. This rule is being published as a direct final rule as the Department of Defense does not expect to receive any adverse comments, and so a proposed rule is unnecessary. The revisions to these rules are part of DoD's retrospective plan under Executive Order 13563 completed in August 2011. DoD's full plan can be accessed at http://www.whitehouse.gov/sites/default/files/other/2011-regulatory-action-plans/departmentofdefenseregulatoryreformplanaugust2011a.pdf.

The Department of the Army is amending its rule on notification of the Army Litigation Division when complaints citing the Privacy Act are filed in order to correct the mailing address in § 505.12. The address for notifying the Army Litigation Division of cases citing the Privacy Act and filed in a U.S. District Court has changed.

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.
